I mostly agree, but as someone pointed out, the zone operator will be 
immediately (and painfully) aware of the mishap. Just as if you have a syntax 
error in your zone file. I fail to see how this results in 'worse' availability 
compared to what we have today.

Regarding your What … ? questions, I agree you need to answer them, but well, 
they should be easy to answer if you intend to publish signed zones. And, if 
you cannot positively answer those questions for your zone and your three or 
four slaves, well, what can you expect from the Internet as a whole?

regards,

~Carlos

On Aug 27, 2013, at 3:51 PM, "UFJORw==" <ufj...@gmail.com> wrote:

> On Tue, Aug 27, 2013 at 6:06 PM, Carlos M. Martinez
> <carlosm3...@gmail.com> wrote:
>> when I read 'an authoritative nameserver SHOULD NOT publish an invalid zone 
>> _ever_', well, I was struck by how obvious this is, and a bit ashamed at how 
>> I had never thought about it. This is something that should have always been 
>> in place.
>> 
>> Same for [A|I]XFR. Slaves MUST refuse transferring invalid zones ! In that 
>> way they might keep an outdated but still validly signed zone.
> 
> Hi,
> 
> This sounds to me like a bad/complex idea.
> 
> That would mean having a full-fledged DNSSEC validator in every
> authserv: what a software bloat!
> And what about the validation policy? What is an "invalid signature"?
> What keys were used to verify the signatures? Local trust anchors? The
> root? Which version of the root keys?
> Should we trust the most specific key or only the root or should they
> be both valid?
> What if the domain is an island and no DS is published on purpose?
> What if a DLV is published because the parent does not accept DS?
> Which DLV database should you trust?
> What if the authserv does not support the signature or the hashing algorithm?
> What if the authserv is clock-drifting?
> And finally: are all of these parameters the same as those in the
> validators that will query the authserv?
> 
> If you got any of these wrong, the zone will not be published.
> Do not expect a good availability/resiliency from that mess.
> 
> Please, let's keep authservers as simple as possible.
> 
> Regards,

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations